SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume X - Issue #19
March 07, 2008
A very interesting gathering on web application security coming up in June in Las Vegas. The top technical experts in application security (Jeremiah Grossman, Gary McGraw, and Caleb Sima, just to name three) will present the newest attack techniques and the most promising mitigations they have found. They will be joined by application security managers from more than a dozen of the most experienced banks and other user organizations who will tell what works and what doesn't work and share the lessons they learned in implementing application security initiatives. Add to that the technical folks from every important application security vendor, sharing their newest tools, and you will walk away with the key things needed to move forward confidently in improving application security. There are also several sources for those who want more in-depth training. Information at http://sans.org/info/24609
Alan
PS. 80% of the new attack vectors are using application security flaws, so if you don't have an application security initiative underway, you are leaving yourself open to simple and sophisticated attacks.
TOP OF THE NEWS
Military Asks Google to Remove Base Images from Street View
USAF Plans New Cyberspace Command
Swiss Bank Drops Lawsuit in Wikileaks Case
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
Goal Financial Settles FTC Charges
10 Months in Prison for Hotel Business Kiosk Hacker
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
UK Website Shuts Down After Being Inundated with USAF eMail
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Judge Allows RIAA to Subpoena Univ. to Obtain Students' Identities
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Microsoft's March Security Update to Comprise Four Bulletins
Chinese Mobile Phone Ransomware
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Thirty Thousand PCs and Macs used In "Overwhelming" DDoS Attack on UK Gambling Site
Children's Personal Data on Stolen Memory Stick
STATISTICS, STUDIES & SURVEYS
Survey: National Security Outweighs Privacy
MISCELLANEOUS
US $76 Million Worth of Counterfeit Cisco Products Seized
LIST OF UPCOMING FREE SANS WEBCASTS
****************** Sponsored By Clearwell Systems ***********************
Free Webinar: Best Practices for Corporate Investigations --- Presented by Cisco's Joel Yusim, this online seminar on March 18th will detail best practices for performing corporate investigations. Attend and learn how to audit your current internal investigation process, implement several best practices, and solve internal investigations more quickly and accurately. http://www.sans.org/info/25379
*************************************************************************
TRAINING UPDATE
Where can you find the newest Penetration Testing techniques, Application Pen Testing, Hacker Exploits, Secure Web Application Development, Security Essentials, Forensics, Wireless, Auditing, CISSP, and SANS' other top-rated courses?
- - SANS 2008 in Orlando (4/18-4/25) SANS' biggest program with myriad bonus sessions and a huge exhibition of security products: http://www.sans.org/sans2008
- - Washington DC (Tyson's) 3/24-3/31 http://www.sans.org/tysonscorner08
- - San Diego (5/9-5/16) http://www.sans.org/securitywest08
- - Toronto (5/10-5/16) http://www.sans.org/toronto08
- - and in 100 other cities and online any time: www.sans.org
*************************************************************************
TOP OF THE NEWS
Military Asks Google to Remove Base Images from Street View (March 6, 2008)
The US military has asked Google to remove certain images from its Street View service because they pose a threat to the security of military bases. The military is especially concerned with images that show details of security at base entrances. The military has also banned Google from taking videos at its bases after footage was filmed at one Texas army base. Google says that it does not "seek access to military bases, private roads, or posted no trespassing areas." A Google spokesman said the company has complied with the military's requests.
-http://www.msnbc.msn.com/id/23505366/
-http://ap.google.com/article/ALeqM5gJWAqizzLP80ddn0-BHPl7hy1uvgD8V84NVO0
-http://afp.google.com/article/ALeqM5i3BOMCwxbAZg_Nfh9OyIAYPTlSQA
USAF Plans New Cyberspace Command (March 5, 2008)
The US Air Force plans to establish a cyber command that is expected to be operational by October of this year. According to a recently released document, Air Force Cyber Command Strategic Vision, "Mastery of cyberspace is essential to America's national security." In addition, the "cyberspace command will provide combat-ready forces trained and equipped to conduct sustained combat operations through the electromagnetic spectrum and fully integrate these with air and space operations."
-http://www.theregister.co.uk/2008/03/05/air_force_cyber_command/print.html
-http://www.afcyber.af.mil/shared/media/document/AFD-080303-054.pdf
Swiss Bank Drops Lawsuit in Wikileaks Case (March 5 & 6, 2008)
Bank Julius Baer has dropped its lawsuit against Wikileaks.org. The Swiss financial institution originally brought the suit because it claimed sensitive bank data were posted on the Wikileaks site and it wanted them removed. The judge in the case initially ordered that Wikileaks.org be shut down, but reconsidered and reversed his decision due to First Amendment concerns. Bank Julius Baer is now seeking other avenues to removing the documents.
-http://www.msnbc.msn.com/id/23488121/
-http://www.forbes.com/facesinthenews/2008/03/06/wikileaks-switzerland-tax-face-markets-cx_ll_0306autofacescan01.html
[Editor's Note (Schultz): Julius Baer's wanting the sensitive documents removed is making less sense over time. The damage has already been done in that the information in these documents has been publicly available for an extended period of time. ]
************************** Sponsored Links: ***************************
1) SANS Third Annual Log Management Survey What are the challenges in log management? Have perceptions changed since last year? Help us find out! Take the survey at http://www.sans.org/info/25384
2) PacketMotion delivers unprecedented visibility and real-time control of insider threats. Learn more and first 100 respondents receive a complimentary Elsevier book "Insider Threat" - $35 value. http://www.sans.org/info/25389
3) Live Webcast March 18th. Listen to Hertz, Forrester, and GuardianEdge Discuss Endpoint Data Protection - Beyond Encryption. Register Now! http://www.guardianedge.com/eseminar/monthly/invite/ge/index.php?esemp=sans
*************************************************************************
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
Goal Financial Settles FTC Charges (March 4 & 6, 2008)
Goal Financial has agreed to change the way it protects customer data to settle Federal Trade Commission (FTC) allegations that it failed to take proper safeguards with the student loan data it held. Between 2005 and 2006, two employees accessed personal information of approximately 7,000 customers and brought it to a competing company. Also, the company allowed an employee to sell a hard drive with unencrypted personal data of approximately 34,000 customers. The compromised data include names, birth dates, Social Security numbers (SSNs), and income and employment information. Goal Financial will put in place a comprehensive security program that includes independent audits every two years.
-http://www.cio.com/article/192255/FTC_Settles_Breach_Complaint_with_Student_Lender
-http://www.scmagazineus.com/Student-loan-company-settles-with-FTC-over-data-mishandling/article/107705/
10 Months in Prison for Hotel Business Kiosk Hacker (March 3, 2008)
Hario Tandiwidjojo has been sentenced to 10 months in prison for stealing credit card information from hotel business kiosks. In December, Tandiwidjojo pleaded guilty to unauthorized access to a protected computer and admitted to breaking into about 60 computers with passwords he obtained when he was employed by a company that serviced the kiosks. He installed software that captured the sensitive data and sent them back to him. Tandiwidjojo was also ordered to pay US $34,266 in restitution for fraudulent charges made on the stolen accounts.
-http://losangeles.fbi.gov/dojpressrel/pressrel08/la030308usa.htm
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
UK Website Shuts Down After Being Inundated with USAF eMail (March 3 & 4, 2008)
The website www.mildenhall.com has been shut down because it was receiving classified email intended for US Air Force personnel at a nearby airbase. The site's owner had been trying to solve the problem for years and until recently, the Air Force did not take him seriously. He tried blocking unrecognized addresses within his domain and established an auto-reply to let people know the correct address for Air Force personnel. He finally closed the site that he had established to promote his town of the same name.
-http://www.theregister.co.uk/2008/03/03/mildenhall_website/print.html
-http://news.bbc.co.uk/2/hi/uk_news/england/suffolk/7277392.stm
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Judge Allows RIAA to Subpoena Univ. to Obtain Students' Identities (March 4, 2008)
A federal judge has granted a request from the Recording Industry Association of America (RIAA) to subpoena the University of Arizona (UA) to surrender information identifying 14 students the RIAA believes have violated copyright law. Universities usually have 30 days to comply with the subpoenas; the RIAA is likely to contact UA within the next week. The RIAA sent 14 prelitigation letters to the university in early December; the students have been identified only as John Does. UA decided not to send those letters on to the students.
-http://www.azstarnet.com/metro/228226
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Microsoft's March Security Update to Comprise Four Bulletins (March 6, 2008)
According to Microsoft Advance Notification, the company will release four security bulletins on Tuesday, March 11. All four bulletins carry a severity rating of critical. Three of the bulletins will address flaws in Microsoft Office; the fourth will address flaws in Microsoft Office Web Components. The vulnerabilities affect Microsoft Office 2000, Office XP, Office 2003, Excel, Office Outlook and Office for Mac.
-http://www.eweek.com/c/a/Security/Microsoft-Critical-MS-Office-Patches-Coming/
-http://www.microsoft.com/technet/security/Bulletin/MS08-mar.mspx
[Editor's Note (Shpantzer): Note that Mac users are also exposed to the Office for Mac vulnerability. ]
Chinese Mobile Phone Ransomware (March 5, 2008)
The Kiazha-A Trojan horse program has been infecting Symbian series 60 mobile phones in China. The malware deletes all text messages and displays a message telling the users that their phones have been infected and will be rendered useless unless they send RMB 50 yuan (US $7). Kiazha-A is part of a malware bundle known as MultiDropper-CR; phones can be infected through Bluetooth or MMS messages.
-http://www.theregister.co.uk/2008/03/05/mobile_ransomware_trojan/print.html
-http://www.vnunet.com/vnunet/news/2211194/ransomware-goes-mobile
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Thirty Thousand PCs and Macs used In "Overwhelming" DDoS Attack on UK Gambling Site (March 6, 2008)
A British gambling site was disabled for a half hour by an "unstoppable" denial of service attack. The attack generated a sustained 10 gigabits of traffic from more than 30,000 Macs and PCs that had been converted to bots.
-http://software.silicon.com/security/0,39024655,39170296,00.htm
Children's Personal Data on Stolen Memory Stick (March 5 & 6, 2008)
A memory stick plugged into a laptop computer stolen from a Shropshire (UK) medical center holds personally identifiable information of more than 200 children. The computer "had been fitted with encryption software to comply with ... NHS security standards" and its remote access has been disabled to prevent it from connecting to the NHS network. It also had tracking technology installed. The data on the memory stick include names, dates of birth, addresses and information about the treatment they received for speech and language therapy. Patients and their families were notified promptly.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9066858&source=rss_topic17
-http://www.shropshirestar.com/2008/03/05/details-on-200-children-stolen/
[Editor's Note (Shpantzer): Most full disk encryption software packages come with free USB encryption. For some reason a lot of organizations don't take advantage of this feature. ]
STATISTICS, STUDIES & SURVEYS
Survey: National Security Outweighs Privacy (March 3, 2008)
A survey of 474 US federal, state, and local government IT professionals found that more than half believe national security is more important than personal privacy. Sixty-nine percent of respondents said identity management is important to their organizations; 72 percent believe that importance will increase over the next five years. Fifty-six percent of the IT professionals were aware of someone having violated their organizations' security protocols. Seventy-six percent say their agencies have secured their information systems.
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=206901345
-http://www.quest.com/newsroom/news-releases-show.aspx?contentid=6954
MISCELLANEOUS
LIST OF UPCOMING FREE SANS WEBCASTS
ISC Threat Update: March 2008
WHEN: Wednesday, March 12, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKERS: Johannes Ullrich and Tony Magallanez
-http://www.sans.org/info/24623
Sponsored By: F-Secure
The SANS Internet Storm Center (ISC) uses advanced data correlation and visualization techniques to analyze data collected from thousands of sensors in over sixty countries. Experienced analysts constantly monitor the Storm Center data feeds searching for trends and anomalies in order to identify potential threats. When a threat is identified, the team immediately begins an intensive investigation to gauge the threat's severity and impact. This monthly webcast discusses recent threats observed by the Internet Storm Center, and discusses new software vulnerabilities or system exposures that were disclosed over the past month. The general format is about 30 minutes of presentation by senior ISC staff, followed by a question and answer period.
***
WhatWorks Webcast: PaulDotCom's Penetration Testing Dojo: Core IMPACT Style
WHEN: Tuesday, March 18, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKERS: Alan Paller and Paul Asadoorian
-http://www.sans.org/info/24628
Sponsored By: Core Security Technologies
When beginning a security process at a consortium of non-profits, senior network security engineer Paul Asadoorian of Pauldotcom began looking for a penetration testing tool that did network, web application and social engineering tests. The tool he purchased is low on manpower use, mostly self-maintaining and reliably proves the existence of network vulnerabilities. Please attend this webcast to find out why Paul selected CORE IMPACT and learn how it can help you safely perform network, web application and end-user penetration testing.
***
SANS Special Webcast: Monthly Series: Security Insights with Dr. Eric Cole
This Month's Topic: Encryption
WHEN: Wednesday, March 19, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Dr. Eric Cole
-http://www.sans.org/info/24633
Based on first-hand experience, this talk will look at areas where encryption should be used and how to avoid common mistakes. Dr. Cole will also identify areas where encryption should not be deployed. Overall, this talk will provide expert knowledge of the landscape of encryption, proper uses and common pitfalls. Register now for this free webcast!
***
Ask the Expert: Malcode Analysis and Response: Proficiency vs. Complexity
WHEN: Thursday, March 20, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKERS: Matt Allen and Russ McRee
-https://www.sans.org/webcasts/show.php?webcastid=91808
Sponsored By: Norman Data Defense Systems
The threat landscape changes constantly, driven in part by the "bot economy" and changing malcode techniques. In response, incident handler techniques must keep pace. This presentation will cover the use of RAPIER, a security tool built to facilitate first response procedures for incident handling. It is designed to acquire commonly requested information and samples during an information security event, incident, or investigation. RAPIER automates the entire process of data collection and delivers the results directly to the hands of a skilled security analyst. From detection and discovery, capture and containment, count on a useful discussion meant to further your incident response practices.
***
Tool Talk Webcast: Are You Naked? Why virtualization and service processors are leaving traditional log management customers naked.
WHEN: Tuesday, March 25, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKER: Bill Johnson
-https://www.sans.org/webcasts/show.php?webcastid=91798
Sponsored By: Tdi
Virtualization and on board service processors are making log management systems obsolete and opening their customers to huge compliance issues. All existing log management systems are based on an 'inside out' agent based, SYSLOG and SNMP architecture. This model is obsolete in today's datacenter. Traditional log management systems do not log all events or watch the data center all the time, opening the door to Sarbanes Oxley, HIPAA and other compliance risks.
***
Tool Talk Webcast: Analyzing Pen Testing Tools: Shootout at the Blackbox Corral
WHEN: Wednesday, March 26, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Larry Suto
-http://www.sans.org/info/24653
Sponsored By: Fortify Software
All black box testing tools are not created equal. In the Fall of 2007, security consultant Larry Suto published a report that evaluates the coverage and balance between false positives and false negatives of three popular penetration testing tools. His findings, which some found surprising, prompted official responses from a number of tool vendors that called into question areas of the experiment that could have led to shaky results.
*******************************************************************
Be sure to check out the following FREE SANS archived webcasts:
Tool Talk Webcast: The ABC's of Dealing with Unique Network Security Risks in a World of Open Campus Networks
WHEN: Wednesday, March 5, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURING: Brian Mehlman
-http://www.sans.org/info/22979
Sponsored By: Q1 Labs
SANS Special Webcast: A Response to the "Cold Boot Attack" Announcement
WHEN: Thursday, March 6, 2008 at 3:00 PM EST (1900 UTC/GMT)
FEATURING: John Strand
-https://www.sans.org/webcasts/show.php?webcastid=91884
********************************************************************
=========================================================================
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/